Reflections on RSA Conference 2015 Abu Dhabi

RSA Conference goes to the Middle East for the first time with RSA Conference 2015 Abu Dhabi. Rashed Al Oraimi, lead technologist at Booz Allen Hamilton, provided the following report.

It was the last working day of the week in Abu Dhabi, and most of us were planning our weekends with family, yet the floors at the Emirates Palace hotel were jam-packed with computer security professionals and companies for the RSA Conference.

I started my day with an interesting session on "Modern Cryptography" by Dr. Najwa Aaraj, VP of special projects at DarkMatter. She explained one of the complex topics in cybersecurity in simple and plain words to a large audience with different backgrounds and interests. She highlighted the importance of correct and proper implementation of cryptographic solutions rather than solely relying on internal cryptography implementations and strong mathematical algorithms used in the products. A weak implementation of the best cryptographic product in the world would be of no use and may only provide a false sense of security to the organisation. This was the main takeaway from her session.

Gavin Millard, the Technical Director of Tenable Network Security, gave very thoughtful insight on wrong priorities and agenda-less implementation by security professionals in his session at RSA Conference. He said that we fail when it comes to making our security agenda; most of the time we put the less important and less urgent before the more important and urgent. There are many reasons behind this issue. Media might be one. Looking at the higher-impact risk and forgetting the relevancy of this risk could be the other.

Millard gave a very interesting example—that if we ask the CISO of an organization which threat he worries about the most, he would tell you that it is the "Zero Day Attack," but if you look at the infrastructure he is responsible for protecting, you will find a lot of thousand-day vulnerabilities (as Millard called them), where these vulnerabilities are well known and many exploits have been developed for them. "Why [would] an attacker try to exploit Zero Days when he has easier targets?" I think this statement from Millard should make most CISOs revisit their 2016 security budgets and priorities.

I didn’t know much about "Darknet" until I attended the session by Greg Jones, the Director of Digital Assurance. He discussed the technical details of the technology and history behind the Darknet. In the second part of his speech, Jones showed how the project—which was developed for good reasons such as privacy and anonymity—became a haven and a playground for bad guys, where illegal traders offer services and products like illegal drugs, guns and even stolen bikes! He also described how someone can buy these products without using credit cards. Thanks to bitcoins! His session was an eye opener for me—and for most of the audience—about a topic that obviously needs more attention and research. Thanks Greg!

At the closing session of the event today, Richard Clarke delivered a powerful keynote. He is a great public speaker and author. I have read his book about cyberwarfare, translated into Arabic by the Emirates Center of Strategic Studies and Researches in Abu Dhabi, and he was also a guest speaker at the same center.

Clarke said that nations spend more time and effort developing the offensive side of their cyber capabilities, but when it comes to the defensive capabilities, they fail most of the time. Several incidents have shown this weakness. Clarke gave the example of the Stuxnet attack against the Iranian nuclear reactors. The challenge was to infect the reactor with malware even when the systems used in the reactor were not connected to the Internet. They were isolated from the outside world, yet the United States (according to Clarke) succeeded in this targeted attack. Interestingly, Iranians were expecting some sort of attack from the U.S., and they thought they were prepared to handle such an attack.

On the other side, when an attack was launched against the financial sector of the United States, which paralyzed some of the top U.S. banking systems, no one could stop the attack (again according to Clarke), since there was a false assumption that the U.S. government would defend non-governmental entities when an attack of such a scale was launched against any entity in the U.S. The government did not.

Clarke concluded that regulation can be the solution to raise the security level of critical infrastructure, and international agreements to fight cybercrime are vital in this battle.